As a reminder, this is the stable series of the Tor Browser Bundle. It does not include the Pluggable Transport support mentioned in the 3.6 release post, and in this release MacOS archives are still in zip format. If you would like those features, we encourage you to use 3.6-beta-1 instead, and report any issues you encounter.

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

You don't need a zip package, the installer doesn't write anything to registry.
I've checked it with RegShot before and after running the installer.

On March 19th, 2014 Anonymous said:

Why is this update still saying it needs an update? Is there some sort of spoofing attack in progress?

On March 19th, 2014 arma said:

Did you unpack your new one over your old one? If you do that (to be clear, you shouldn't) then it might get confused and try to remind you about needing an update.

https://trac.torproject.org/projects/tor/ticket/11242

On March 20th, 2014 Anonymous said:

Thanks for the reply... I did remove the old version and install the new version, as I have always done for years with no problem... BTW, I used the new Tor Browser Bundle today after my reported experience and it seems the issue has gone away :D

On March 19th, 2014 Anonymous said:

Why don't you turn on TLS 1.1 and 1.2 in the browser?

On March 23rd, 2014 Anonymous said:

TBB uses Firefox ESR. Current version is 24.4.0.

TLS 1.1 and TLS 1.2 were not enabled by default until Firefox 27.

Next Firefox ESR release will be 31.

On March 23rd, 2014 arma said:

Yep. See also https://bugs.torproject.org/11253

On March 19th, 2014 Anonymous said:

Thanks for TBB!

On March 20th, 2014 Anonymous said:

What's wrong with you?
We don't want to install TBB like a program.
We need a portable TBB!

On March 21st, 2014 arma said:

It is portable -- the location you install to is a portable TBB. Move it around however you like.

On March 23rd, 2014 Anonymous said:

"What's wrong with you?"

I'm afraid that the question, more appropriately, appears to be:
What's wrong with you?

On March 20th, 2014 Anonymous said:

This might be a total noob question, but what's the difference between exporting bookmarks to an HTML file, versus backing up bookmarks to a JSON file?

I ask because every time I download a newer version of the TBB, I have to re-populate the bookmarks menu.

Thanks for all the work you guys do.

On March 20th, 2014 Anonymous said:

From what I could find, restoring from JSON will replace your bookmarks with only what is in the backup file. Using a HTML backup will just add to your existing bookmarks. (source: https://support.mozilla.org/en-US/questions/950445)

It sounds like you know how to do so, but just in case: restoring bookmarks can be done from the Show All Bookmarks window (Ctrl+Shift+O). To restore from JSON, use "Import and Backup" -> "Restore" -> "Choose File", and to restore bookmarks from HTML, use "Import and Backup" -> "Import Bookmarks from HTML."

On March 20th, 2014 Anonymous said:

Can I just overwrite the Pluggable-TBB with this TBB?

On March 21st, 2014 arma said:

Overwriting TBBs will have unpredictable effects currently. See the same question farther down this page.

On March 21st, 2014 Anonymous said:

Yeah, overwriting TBBs will cause issues ranging from wrong version of X extension to just not wanting to boot up.

I've pretty much resigned myself to "Have to go the clean installation in a new directory and just import bookmarks!" route when I am updating to a new TBB.

Could someone from Tor please advise if there are any 'Services' that start up automatically which, for the sake of security, users should either change to 'manual' or even 'disable'. Equally, are there any that we should not change to 'manual' or 'disable'?

Thanks

On March 21st, 2014 Anonymous said:

I'm on Windows XP and found that this issue of Tor has repeatedly either made my PC crash and/or can't be opened at all that I have to resort to 'nude' browsing with Firefox. Is it something to do with the software? This is something very abnormal, never experienced something like this before after some 8 years and I've checked that everything else should be normal.

On March 21st, 2014 Anonymous said:

I'm downloading a file from hyperspeeds.com at 1.2 MB/s using the latest version of Tor. That doesn't seem possible. Is there something wrong with my program?

On March 25th, 2014 Anonymous said:

1MByte or 1Mbit?

On March 26th, 2014 arma said:

Either of them are plausible speeds to get over Tor at times these days.

On March 26th, 2014 Anonymous said:

That speed is unlikely, but not impossible.
Go to the below URL to verify that Tor is working as it should:

https://check.torproject.org/

On March 21st, 2014 Anonymous said:

I can't open .onion websites, only "regular" websites. Why? Is it a security problem?

On March 25th, 2014 Anonymous said:

Check clock, date, timezone settings.

On March 26th, 2014 Anonymous said:

Possibly. Check if Tor is working as it should:

https://check.torproject.org/

If it says you are not running Tor, then you most likely aren't.

On March 21st, 2014 Anonymous said:

Just got to the new TBB but every time I try to open it, I repeatedly get "Tor Unexpectedly Exited-Please Restart This Application" with a mini window saying "Tor Launcher-Tor Unexpectedly Exited". Sorry for the noobie question, but this is the first TBB that has done this and I want to get back to my browsing!

On March 24th, 2014 Anonymous said:

What OS?

On March 26th, 2014 Anonymous said:

OS X version 10.9.2

On March 26th, 2014 arma said:

Does https://www.torproject.org/docs/faq#SophosOnMac help you?

On March 21st, 2014 Anonymous said:

I can run Tor-browser-2.3 on very old hardware: AMD K6-2 @ 500 MHz - RAM: 384 MB.
Starting with version 3.5, Tor will not run on this old computer, it fails when trying to install it, and if I install it on a newer PC and create a zip package to extract in the old one, it also fails when launching "Start Tor Browser.exe"

I have Firefox 28 installed and running in this old machine, so the problem is with Tor.
Is this new version using SSE2 instructions?
Any chance to fix Tor to work again with old hardware?

On March 22nd, 2014 Anonymous said:

Wow, I haven't seen mention of that processor family in years.

A few things:

a) The Mozilla Firefox binaries are built with Visual Studio not GCC, which does code generation differently. It is worth noting that the official binaries for Linux built with gcc target i686 and will also not execute on your processor family.

b) There is more that is lacking in K6-2 versus what is expected of a modern ia32 processor than just SSE2. The relevant instructions in this case would be CMOV/FCMOV, introduced for the Pentium Pro.

If you can convince the developers that building the bundle with an i586 target is worth the time, then it should work (for now), though it is unlikely that they can spare build engineer time for that task.

No matter which Pentium family the AMD K6-2 is closer to, it doesn't support all i686 instructions. Compiling for the i686 platform means using the CMOV instruction.

https://www.mozilla.org/en-US/firefox/28.0/system-requirements/
Mozilla claims it needs a Pentium 4 or newer processor that supports SSE2.
It's probably a bug that it still works on the AMD K6-2, as a result.

On March 27th, 2014 Anonymous said:

The problem with the AMD K6-2 began when TBB developers started building with gcc instead of cl (Visual Studio).
Up to TBB 2.4.18-rc-1 they used cl, as the Mozilla developers do, but the target never changed; it was also i686 with cl, so the "bug" is due to gcc.
I've checked with "about:buildconfig" that up to Firefox 2-0-0-x the target is i586, and starting with Firefox 3-0-x the target is i686.
From Firefox 3.0.x to 3.6.x the Minimum Hardware Requirements are the same: Pentium 233 MHz (Recommended: Pentium 500MHz or greater)
64 MB RAM (Recommended: 128 MB RAM or greater) ...
https://www.mozilla.org/en-US/firefox/3.0/system-requirements/
https://www.mozilla.org/en-US/firefox/3.6/system-requirements/
So, if it is a bug that Firefox 28 runs perfectly with AMD K6, this bug is seven years old. ;)
Starting with Firefox 4, they only listed "Recommended" Hardware (not Minimum)
https://www.mozilla.org/en-US/firefox/4.0/system-requirements/
By the way, SeaMonkey still has a "Minimum" Hardware requirements page... Pentium 233 MHz (Recommended: Pentium 500MHz or greater)...
http://www.seamonkey-project.org/releases/seamonkey2.25/#install

Now I've tested the latest TBB 3-5-3 with a Pentium III @ 450 MHz and it works fine!

On March 28th, 2014 Anonymous said:

It's no brain to use tor with WinXP even if AMD K6, at least it's possible to find some another browser and to compile all for i586.
Try to use with i486 with almost zero ram and win98 if you want extremal experience.

On March 29th, 2014 Anonymous said:

"at least it's possible to find some another browser"

Using Tor with any other browser besides Firefox/Iceweasel is explicitly NOT supported and not recommended.

"win98"

Windows 98 (as well as Windows 2000 and very soon Windows XP as well) has not been supported with critical security updates for years now. Using any unsupported OS is downright dangerous. (with the possible exception of a strictly NON-NETWORKED box).

On March 29th, 2014 Anonymous said:

win98 most usable and securest OS ever!!!!!!!!!!!

On March 29th, 2014 Anonymous said:

"Firefox/Iceweasel is explicitly NOT supported and not recommended."
Firefox dropped 32bit platforms actually. You need to have more than 4GB of virtual memory to build browser.
It's wrong that such browser only supported, overbloated software with kludges and security holes by design.

On March 26th, 2014 Anonymous said:

This is documented in http://gcc.gnu.org/bugzilla/show_bug.cgi?id=8243

The bug in question is discussing pre-Nehemiah VIA C3, but the brain damage is the same in the K6-2. Code generated with -march=i686 by gcc will use CMOV, and will fail on your processor.

I doubt the tor build people would ever use cl (Visual Studio) to build TBB again as well, given all of the work that has been done on deterministic builds.

On March 30th, 2014 Anonymous said:

Interesting details about CMOV
http://ondioline.org/mail/cmov-a-bad-idea-on-out-of-order-cpus
Then why does GCC try so hard to use CMOV? Without even an option to selectively disable it.
Discuss.

On March 30th, 2014 Anonymous said:

This is orthogonal to "AMD K6-2 is a potato and is unsupported by TBB binary packages", but ok, I'll bite.

For what it's worth on Ivy Bridge Linus' synthetic benchmark is faster with CMOV, so there's that (I did increase the iteration count up since the code as is was fairly inconclusive).

There are certainly cases where CMOV would be a bad idea, and the Intel 64 and IA-32 Architectures Optimization Reference Manual has a detailed description of the tradeoffs. There's also at least one GCC bug open regarding cases where CMOV is used when it should not http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56309

There was a patch back in the 2.4.x kernel days (when not-quite Pentium Pro "i686" processors were relevant) that trapped illegal instructions and emulated CMOV in software to allow binaries to run with *terrible* performance for situations like "oh god, fsck on my rescue image is i686 targeted and I have a dinky AMD processor", but it didn't get mainlined AFAIK.

On March 31st, 2014 Anonymous said:

So there is no profit in using CMOV for apps like Firefox.
CMOV is an optional extension, after all.

On March 22nd, 2014 Anonymous said:

Try to use Tails
https://tails.boum.org/
It's better than nothing, if it will work for you.

On March 23rd, 2014 Anonymous said:

Run Tails with only 384 MB of RAM?

I don't think so.

On March 23rd, 2014 Anonymous said:

Yeah.
https://tails.boum.org/doc/about/requirements/index.en.html
1 GB of RAM to work smoothly. Tails is known to work with less memory but you might experience strange behaviours or crashes.

But why not try.

On March 23rd, 2014 Anonymous said:

If you stop unneeded services while keeping Tor, then it's possible to surf some pages, even.

If you need Tor enough to consider a change of operating system, I'd recommend Puppy Linux. It's designed for getting the best performance out of old hardware with very limited RAM and the new Tor Browser bundles work on it. Warning: default user is root - you may want to downgrade to user "spot" via command line for security.

On March 29th, 2014 Anonymous said:

"Warning: default user is root - you may want to downgrade to user "spot" via command line for security."

Most important warning indeed.

Have you had success running TBB as 'spot'?

On March 23rd, 2014 Anonymous said:

>.exe

You're running Windows on those specs?

Any version of Windows able to run on such old hardware, with only 384 MB RAM would be an old one that hasn't been supported with security updates for a long time.

I can only hope that your use of this box and certainly your running Tor on it, is for nothing more than testing/playing purposes.

On March 23rd, 2014 Anonymous said:

The minimum hardware requirements for Windows XP Professional include:
At least 64 megabytes (MB) of RAM (128 MB is recommended)

WinXP supported with security updates till April 2014.

On March 29th, 2014 Anonymous said:

If this is correct, then I stand corrected.

But since April 2014 is mere days away, the correction is largely moot.

On March 22nd, 2014 Anonymous said:

With an old pc windows 7 date/time, I can't connect with this bundle!
Bug?

On March 22nd, 2014 arma said:

Do you mean your clock is wrong and Tor no longer works for you?

Tor needs a roughly accurate clock to work. This has been the case for years.

On March 24th, 2014 Anonymous said:

Are you on Daylight Savings Time?

On March 22nd, 2014 Anonymous said:

TAILS seems to have the same browser (TBB) configuration? I have questions:

NEW Browser version: max. aes_128 .............*WTF* again.
TLS 1.0 only activated? Why?
And who is responsible for that? I don't really like to know, but please change it.

Plus someone can make the 'Connection Encrypted' info usable. Like Seamonkey. Or
why not?
If I would like browsing with a thoughtless lollypolly Disney fastfood feeling, IE/Chrome would be my fav.

The new Firefox 30 look is......funny(-:,too

On March 22nd, 2014 Anonymous said:

Re screen-size

Under 3.5.2.1 I posted the following reply on the 17th:

"GK
Thanks for your response. I read the bug report you mentioned. Since I am a relative newcomer to this and I am not very knowledgeable about the workings of computers/browsers/Tor I didn't follow what was said very well.
All I can say is that I have used Tor for about 18 months and have always used ip-check.info as a test, The screen-size (ip-check calls it Browser Window - inner size) has NEVER been rounded to 100.
For Tor versions 3.5.2 and 3.5.2.1 I have also checked it with Panopticlick and (with Javascript enabled) Panopticlick gives the same screen-size as ip-check. IP Check gets the screen size whether JS is enabled or disabled.
Sorry, the above may not be much help but if you can tell me what else to check or which settings to change, if any, I will.
Thanks for your help."

I have just carried out the same tests with 3.5.3 and, guess what, exactly the same results as with 3.5.2 and 3.5.2.1.

If other people are getting 'rounded to 100' screen sizes it is possible that one of my settings is wrong, but I don't know what to do.
Please help.
Thanks

On March 23rd, 2014 Anonymous said:

ip-check.info ?

Still plain, unencrypted http. That means an exit node can tamper with the results.

If the JonDo folks behind ip-check can't or won't even bother to make the site HTTPS-encrypted and authenticated, then how can they be trusted?

On March 24th, 2014 Anonymous said:

As you obviously know more about these things than I do, I understand what you say.

However, as I have said, Panopticlick (with JS enabled) gets exactly the same screen-size as ip-check.info, so I think there must be more to it than tampering.

Also, ip-check can get the screen-size without JS.

On March 25th, 2014 Anonymous said:

Personally, I don't trust ip-check. Not that I think it's malicious, but aside from its obvious commercial purpose, it makes up the unsubstantiated claim that a longer stream session such as the 10 minute one Tor uses is bad for anonymity, and encourages naive users to switch from Tor to JonDonym as a solution, calling itself "stateless". In reality, a fully stateless anonymity system like that results in *less* anonymity, as it gives a passive adversary more opportunities to surveil and a greater chance of mounting a successful traffic correlation attack. If I recall, there are even several academic studies that show the reason why rapidly changing circuits is harmful to anonymity. JonDonym doesn't even think to look this up before shouting to the naive masses that their commercial product is superior. It's not just problematic because it's dishonest, but because it gives that company a larger profit at the *expense* of the innocent user's anonymity. That's not all they've done to harm people. Who could forget that backdoor JonDonym added to its software at the request of the German government? With these points in mind, I urge people not to link to services such as ip-check because it lies to people in an attempt to sway them from a more secure alternative. Now, they aren't as bad as some companies (I'm looking at you, HMA), but they still don't deserve the extra traffic that comes to them when there are already plenty of less biased anonymity-checking websites.
/end rant

On March 29th, 2014 Anonymous said:

All valid points.

Additionally, the failure of JonDoNym to use HTTPS authentication by default for ip-check.info (and any other sites of theirs) should give pause to anyone.

On March 29th, 2014 Anonymous said:

I did not mean to suggest that the results you reported were the result of tampering. Nor that I had knowledge of any evidence of such tampering having ever occurred with ip-check.info.

Rather, I was merely pointing-out that the risk exists. And even if it would be determined to be relatively low, the mere failure, whatever the reason, of the JonDoNym folks to implement SSL/TLS across all of their WWW properties seems cause for concern to me.

On March 23rd, 2014 Anonymous said:

The screen-size problem is the same with me too. So no false settings with your TBB.

On March 25th, 2014 Anonymous said:

What OS?

On March 25th, 2014 gk said:

Are you resizing your window (this is not working properly at the moment)? If not, you may run into https://bugs.torproject.org/9268. If that is not plausible either, feel free to open a ticket in our bugtracker at https://trac.torproject.org/projects/tor. We'd need to take a closer look at your issue then.

On March 26th, 2014 Anonymous said:

GK

As I have said, I have read the bug report but don't really understand it. All I can say is that with Windows 7 and Tor 3.5.2, 3.5.2.1 and 3.5.3 I NEVER get a rounded window size - Panopticlick (with JS enabled) gets exactly the same window size as ip-check (with and without JS enabled).
To answer your specific question: No, I am not resizing my window. I don't know how to.

On April 4th, 2014 Anonymous said:

GK

As you have suggested, I have just tried to create a new ticket but when I go to the page that you have stated I just get:

"TICKET_CREATE privileges are required to perform this operation. You don't have the required permissions."

Pls let me know what I have to do.

Thanks

On March 25th, 2014 Anonymous said:

>it is possible that one of my settings is wrong
What are your settings, do you know how to reproduce never rounded window size?

On March 31st, 2014 Anonymous said:

Sorry, I don't know what you mean by: "do you know how to reproduce never rounded window size?".

If, in fact, I do understand what you mean, I don't have to "reproduce" a "never rounded" window size, I just have to check it via ip-check.info with or without JS enabled and via Panopticlick with JS enabled.

If I haven't understood you correctly, could you please explain what you mean. Thanks.

On March 22nd, 2014 Anonymous said:

Sometimes when I start the program it just refuses to open. I have to kill it ctrl+shift+esc and restart. This happens on all 3 of my computers. Has been happening since the first 3.x version. What's wrong?

On March 25th, 2014 gk said:

Might be https://bugs.torproject.org/9531. Does this happen randomly? Or only once? Or...?

On April 15th, 2014 Anonymous said:

It happens randomly. It rarely/never happens with 3.5.3, but it happens often with every other version. Might be coincidental, either way it stinks.

On March 23rd, 2014 Anonymous said:

What happened to the stable and unstable Expert Bundles for Windows? Are we supposed to build our own now? And please don't waste my time by telling me I *should* be using the browser bundle...

On March 23rd, 2014 Anonymous said:

The captchas in https://bridges.torproject.org/bridges?transport=obfs3 are way too hard and frustrating, please find another solution for it!

On March 24th, 2014 Anonymous said:

I agree 100%! I HATE difficult captchas.

On March 26th, 2014 arma said:

Keep an eye on https://trac.torproject.org/projects/tor/ticket/10809 and the tickets it links to.

On March 24th, 2014 Anonymous said:

There is a bug in TBB 3.5.3.

I am using OpenVPN to connect to one of the VPN gateways/servers, the protocol is TCP.

Next in a terminal window -I am using Debian- I launched TBB.

When I surf to a website, for example, Tails, I launch a root terminal window and type in the command netstat -rn

Notice that on eth0 and gateway 192.168.1.1, the destination corresponds to the IP address of the OpenVPN gateway/server.

The above did not happen with earlier versions of TBB.

I hope Tor developers can look into the above issue.

On March 24th, 2014 arma said:

What? TBB is an application. It just uses your network. It has nothing to do with (that is, no influence on) what your netstat says your gateways are.

On March 24th, 2014 Anonymous said:

It has nothing to do with (that is, no influence on) what your netstat says your gateways are.

Thanks arma for your reply.

About the steps that I undertook in my earlier post: what IP address will the destination website see? Tor's exit node IP address? or the IP address of my OpenVPN gateway/server? or both?

Would you be able to offer some suggestions on why some websites and forums recommend Tor users to use Tor over VPN or VPN over Tor?

On March 24th, 2014 Anonymous said:

Bring back expert bundles for windows please

On March 24th, 2014 Anonymous said:

I was wondering if I need start page and Ixquick which provide proxy and encryption. I noticed in this version of TOR bundle, HTTPS Anywhere is provided. Should I just get rid of start page and Ixquick?

On March 26th, 2014 Anonymous said:

HTTPS Everywhere has been bundled with the Tor Browser for a long time.

You are already using Tor, so you do not need to use ixquick's/startpage's proxy service. Tor provides all the anonymity you need.

If the remote website you visit does not support end-to-end encryption (HTTPS), then it doesn't matter if you are using yet another proxy (ixquick/startpage), an attacker can still inject and observe data at some point (even if they cannot trace you).

Startpage is still a good alternative to use as a search engine.

On March 27th, 2014 Anonymous said:

Thanks for the reply. I just noticed HTTPS Everywhere does not encrypt some sites, and what is strange is that ixquicks does allow me to encrypt the same sites that HTTPS does not encrypt, and I can see in the URL address starts with https when I get connected. Can I trust this connection?

On March 29th, 2014 Anonymous said:

That is because that site does not support HTTPS. Your connection to ixquick's proxy is encrypted using HTTPS, but the connection between ixquick and the actual site is not.

On March 29th, 2014 Anonymous said:

"If the remote website you visit does not support end-to-end encryption (HTTPS), then it doesn't matter if you are using yet another proxy (ixquick/startpage), an attacker can still inject and observe data at some point (even if they cannot trace you)."

Let's see if we can unpack this...

A web proxy, such as the one ixquick/startpage offers, could indeed tamper with any content it fetches before returning it to you. This is just as an exit node could. But ixquick is far more trusted than a random exit node that could be rogue.

On March 29th, 2014 arma said:

True, sort of.

Also anywhere in the network between ixquick and the destination website could mess with the traffic (just as, without ixquick, anywhere in the network between the exit relay and the destination website can mess with it).

If you trust ixquick more than your exit relay, and also your destination doesn't support https, then it may make sense. This is similar to using Tor to reach your VPN, and then accessing all the destination websites via the VPN provider.

One downside though is that you're centralizing your outbound traffic, such that an adversary who watches ixquick's network gets to see all your traffic, where before maybe they wouldn't get to see it at all. Seeing the outbound side of your circuits is not the end of the world (they need to see the inbound side too in order to win), but it does get them halfway there.

On March 24th, 2014 Anonymous said:

Why is torrc blank??? I tried writing in it and tor doesn't open...

I overwrote 3.5.2 and am running in a TrueCrypt encrypted drive...

Thanks

On March 24th, 2014 arma said:

torrc is blank because it uses both torrc and torrc-defaults. Only new modifications go into torrc.

As for "I added lines to torrc and now Tor doesn't open", it sounds like you added bad lines. :)

As for overwriting, be aware that this may or may not work for you. If you get weird behavior, try doing a fresh install.

On March 25th, 2014 Anonymous said:

same adds---

---------------------------------
ExitNodes {US}
StrictNodes 1
------------------------------
works on 3.5.2 which I am on now... I will try 3.5.3 again but please confirm this is the right ditty...

I just want to save my settings and avoid a fresh install but if I have to I will...

Thank you for your help,,, I am not a complainer just lazy :)

On March 25th, 2014 Anonymous said:

I'm still using tor-browser-2.3.25-1
Please fix the cookie problem...it's been old.
https://trac.torproject.org/projects/tor/ticket/10353

On March 28th, 2014 Anonymous said:

The last Tor version that works with cookies for me is 2.5

On March 25th, 2014 Anonymous said:

How do I know if the data between my server and the onion site is actually encrypted? We are told it is but how can that be proved?

Been having lots of problems with Noscript and no longer trust it.

On March 26th, 2014 arma said:

As for how it can be proved, the whole thing is open source, and we give you a design document and spec too:
https://www.torproject.org/docs/documentation#DesignDoc
So you could look at everything and decide for yourself. Or if it's too complicated for you, you could ask anybody in the world to do it for you.

On March 29th, 2014 Anonymous said:

With HTTPS, one can verify the fingerprints of the certificate.

Is there anything comparable when it comes to .onion sites?

(A means of authenticating that is comparably simple and quick?)

On March 29th, 2014 arma said:

Tor does it for you.

For normal https, checking the certificate makes sense, because it's signed by one of 300 or more certificate authorities, most or all of which have nothing to do with the website you're trying to reach. The traditional CA model is a disaster.

But for Tor hidden services, the addresses are self-authenticating. Tor will verify, for sure (unless the crypto is broken), that you really are reaching the site whose address you told Tor to go to.

Of course, you have to make sure to be trying to go to the right address. If you click on one from a random website that *looks* like your intended hidden service address but actually it's one letter off, then all bets are off.
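Added example, not part of the original comment or Tor's own code: for the 16-character hidden service addresses in use when this thread was written, the address is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key, so a client can check any key it is handed against the address it asked for. The key bytes below are constructed stand-ins rather than real keys, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# A 16-character label over the base32 alphabet (a-z, 2-7) encodes exactly 80 bits.
ONION_LABEL_RE = re.compile(r"^[a-z2-7]{16}$")


def onion_label(der_public_key: bytes) -> str:
    """Derive the address label: base32(first 10 bytes of SHA-1(DER public key))."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def normalize(address: str) -> str:
    """Lower-case, strip an optional '.onion' suffix, reject malformed labels."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if not ONION_LABEL_RE.match(label):
        raise ValueError("not a 16-character base32 onion label: %r" % address)
    return label


def key_matches_address(requested_address: str, presented_der_key: bytes) -> bool:
    """True only if the presented key hashes to the address the user asked for."""
    expected = normalize(requested_address)
    actual = onion_label(presented_der_key)
    return hmac.compare_digest(expected, actual)


def differing_positions(a: str, b: str) -> list:
    """Indexes at which two onion labels differ (to flag near-identical addresses)."""
    la, lb = normalize(a), normalize(b)
    return [i for i, (x, y) in enumerate(zip(la, lb)) if x != y]


def demo() -> dict:
    # Constructed stand-in bytes, NOT real RSA keys; only their hash matters here.
    intended_key = b"constructed stand-in for the intended service's DER public key"
    other_key = b"constructed stand-in for a different service's DER public key"

    intended_addr = onion_label(intended_key) + ".onion"
    other_addr = onion_label(other_key) + ".onion"

    # An address that is "one letter off" from the intended one.
    label = normalize(intended_addr)
    typo_addr = ("b" if label[0] != "b" else "c") + label[1:] + ".onion"

    return {
        # The intended service's key authenticates the intended address.
        "intended_ok": key_matches_address(intended_addr, intended_key),
        # Any other key presented for that address is rejected.
        "other_key_rejected": not key_matches_address(intended_addr, other_key),
        # The intended service cannot answer for the mistyped address...
        "typo_rejects_intended_key": not key_matches_address(typo_addr, intended_key),
        # ...but a different address authenticates its own key just as well,
        # so the check binds key to address, not address to the user's intent.
        "other_addr_accepts_other_key": key_matches_address(other_addr, other_key),
        "typo_distance": len(differing_positions(intended_addr, typo_addr)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The last two results are the point of the caveat above: the check proves which key owns an address, so comparing a link against a known-good copy of the address remains the user's job.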

On March 25th, 2014 Anonymous said:

Disregard last comment... This is TrueCrypt weirdness; the overwrite and addition of
--------------------------------------------
ExitNodes {US}
StrickNodes 1
-------------------------------------------

in torrc worked outside of the TrueCrypt container...

I then added the lines
--------------------------------------------
ExitNodes {US}
StrickNodes 1
-------------------------------------------
to the torrc-default in the TrueCrypt drive and FF did not open but when I pulled the lines out of torrc-default the torrc addition worked as you noted...

Thanks!!!

On March 26th, 2014 arma said:

"strick"?

On March 25th, 2014 Anonymous said:

Seems bizarre that an app that needs to be kept up to date requires manual uninstallation and reinstallation (plus bookmark migration) on every upgrade. Could the installer not handle this, hopefully including bookmark migration? Preferably via transparent automatic / approved update within the app itself, per normal browser updates.

Thanks to the team for their invaluable work!

On March 29th, 2014 Anonymous said:

Haven't there been comments from Tor devs stating that they are indeed working on implementing the very type of functionality that you describe?

On March 29th, 2014 arma said:

Yes. Keep an eye on https://trac.torproject.org/projects/tor/ticket/4234

It's gotten easier now that we've gotten Vidalia out of the way, since now it really is just a browser with some extensions. But there's still a lot of work involved in doing it right, and a lot of downside involved in doing it wrong.

The above sentence appears on following page:
https://www.torproject.org/download/download.html.en

It doesn't appear on this page though:
https://www.torproject.org/download/download-easy.html

Is this intentional?

On March 26th, 2014 arma said:

Good catch. Should be fixed now. Thanks!

On March 26th, 2014 Anonymous said:

A question to TAILS. =TBB ?

Everytime you open new browser,
connections to check.torproject.org:443 (customs here ! ?) AND

Wikipedia , Google ! Whats that?

On March 27th, 2014 Anonymous said:

"Wikipedia , Google"

have seen this,too.
anyone can explain?

Thank you

On March 29th, 2014 Anonymous said:

My bet is that the favicons for those two sites are not bundled with the browser for some reason, but are required by the search bar. So they are downloaded on first startup.

But that is just a guess.

On March 29th, 2014 Anonymous said:

TBB is Tor plus browser etc. that you install on your HD.

Tails is a Linux live disk that includes Tor and much else. It is set up so it never writes anything to your HD.

On March 26th, 2014 Anonymous said:

@ Arma,

My system date and time were old (but I didn't know that) due to system problems.
But I saw this after a while, when trying to connect with Tor on the internet.
After changing the system date and time, the problem with Tor was over.

On March 26th, 2014 arma said:

Great.

On March 26th, 2014 Anonymous said:

When do you release 0.2.4.21 expert bundle?

On March 26th, 2014 Anonymous said:

When I right-click on the "Start Tor Browser" (exe) icon in Windows, it says "Date Modified: Saturday, January 01, 2000, 2:00:00 AM"... IS IT NORMAL?

but MINE DOESN'T SHOW 1999... It shows 2000!!!!!!!! HAS IT BEEN TAMPERED WITH????

On March 28th, 2014 arma said:

Read the faq entry. It's because of time zones. It's fine.

On March 29th, 2014 Anonymous said:

Arma is saying that the time/date stamp in question (Saturday, January 01, 2000, 2:00:00 AM) is not evidence of tampering.

But, for any download, the only way to actually answer the question,
"HAS IT BEEN TAMPERED WITH????", with any degree of certainty, is through proper verification of the downloaded file. In the case of TBB, this means following the instructions for verifying the digital signature.

On March 29th, 2014 arma said:

Right.

On March 26th, 2014 Anonymous said:

A Tor Browser Bundle repository for linux would be nice. That way updates are handled automatically.

On March 29th, 2014 Anonymous said:

But what would be involved in implementing a sufficient degree of authentication for anything and everything obtained through said repo?

On March 27th, 2014 Anonymous said:

startpage.com is not safe!! i can't believe you guys are using it as standard search engine on tor browser. startpage tracks your IP address and sends it on to google. want to see the proof??? go search for a normal word. for instance you can search for a company name. then look at the top results. look at the sponsored results AND the top non sponsor results too. they are based on your IP address. if you search from SPAIN IP address first couple of results will be from SPAIN sites. search for same term from US IP address. results will be from US sites. THIS DOESN'T HAPPEN FOR ALL KEYWORDS. TRY IT WITHOUT USING TOR then it will be more clear. the results will be specific to your country

On March 28th, 2014 Anonymous said:

WTF! It's true. Startpage and ixquick show country specific results. Never using startpage or ixquick searches again.

On March 28th, 2014 Anonymous said:

Do you mean startpage sends a Tor IP to google or the actual IP where I am connected to my ISP?

On March 29th, 2014 Anonymous said:

startpage and ixquick SUCK. They send your IP address to Google. They are the biggest online marketing fraud I've seen. If you use TOR you should be protected. Many people don't use tor and trust them

On March 29th, 2014 Anonymous said:

Wait...

Are you sure that startpage doesn't first deduce the location from the IP address and then forward only the location to Google?

On April 1st, 2014 Anonymous said:

"Are you sure that startpage doesn't first deduce the location from the IP address and then forward only the location to Google?"

they only deduce the location.... then disregard the IP.... hahaha sure.... Trust them with your data

Even if that's all they do with your ip...they are still a fraud and lie in their privacy policy

On March 29th, 2014 Anonymous said:

A Tor exit node IP, if you are using Tor.

Startpage (or any other site for that sake) cannot learn your real IP while using Tor.

On March 28th, 2014 Anonymous said:

I think you are right regardless of what startpage says re/ their sending anonymous requests to google. What browser do you use with Tor bundle?

On March 29th, 2014 Anonymous said:

"What browser do you use with Tor bundle?"

Did you, perhaps, mean to write, "Which search engine do you use with Tor Bundle?"

On March 29th, 2014 arma said:

Right. Be sure to read https://www.torproject.org/docs/faq#TBBOtherBrowser

On March 27th, 2014 Anonymous said:

Hello
I just wonder;
What happens if I use "vpn gate" and "tor browser" together? I always use vpn gate and then I connect with the tor browser, is it ok? or I could get some security connection problem? Thanks for help.

On March 27th, 2014 Anonymous said:

I love you guys! thanks!

On March 27th, 2014 Anonymous said:

"and a way to prevent disk leaks when watching videos." Does this help fix https://trac.torproject.org/projects/tor/ticket/7449 which is titled: "TorBrowser creates temp files in Linux /tmp & Windows %temp% and OSX(various places) during the file downloads dialog & when using internal browser video player"

On March 28th, 2014 Anonymous said:

Seems to be a problem with the latest TOR and using flickr . If Javascript is enabled to sign on and view albums, with this version the comments do not show up. Tried everything with No Script to fix it but even if noscript is disabled when clicking on 'comments' it just reverts to the image. Could be a no script error or maybe a change with flickr scripts? Any ideas?

On March 29th, 2014 Anonymous said:

Perhaps you had disabled JavaScript via about:config and then forgotten that you had done so?

Another possibility: scripts from other domains than just flickr.com likely need to be enabled for comment functionality.

(Knowing which domains one must enable scripts from in order to get a given function, such as comments, etc., can be quite a challenge.)

Finally, do you have an Ad Blocker enabled?

On March 30th, 2014 Anonymous said:

Downloaded the new beta version and suddenly flickr is working again.

>do you have an Ad Blocker enabled?
Not an independent program, just as part of my firewall. Anyway the beta seems to have fixed it. Thanks for response.

On March 29th, 2014 Anonymous said:

Hello,

Just installed the latest version of Tor Browser version 3.5.3 and looking at Firefox Addons found two addons that sound interesting. I am not sure if I need them with Tor so any input is appreciated

RequestPolicy: Block images not from site you are on ( advanced privacy ) addons . mozilla . org/en-US/firefox/addon/requestpolicy/

Noscript is the only addon I am using, but I did change the value in about:config from https://secure.informaction.com/ipecho/ to http://127.0.0.1/

Thanks

On March 29th, 2014 Anonymous said:

Does adding more bridges add more anonymity to my Tor session, or not?
By the way thank you for changing the captchas in the bridges page on bridges.torproject.org

On March 29th, 2014 arma said:

Adding more bridges probably hurts your anonymity if anything. The more bridges you have, the greater the chances that one of the bridges is observable by your adversary. The ideal case would be to use one very safe (i.e. well located with respect to your location and the parts of the Internet your adversary can see, and also not operated by your adversary) and very stable bridge. The tradeoff of course is that maybe you don't have one.

This question is very related to the question of how many guards you should have:
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters

On March 30th, 2014 Anonymous said:

I run a hidden service using non-https connections, what are the advantages and disadvantages of switching to https (like duckduckgo's https://3g2upl4pq6kufc4m.onion)?

On March 30th, 2014 Anonymous said:

when i tried this link, Tor browser displayed a man in the middle warning??

On March 31st, 2014 Anonymous said:

If you click the warning you'll see that the certificate belongs to DuckDuckGo, verifying the connection's security and not the opposite: the server does belong to DDG and so does the certificate.

On April 1st, 2014 Anonymous said:

Copy and paste https://3g2upl4pq6kufc4m.onion and maybe you'll get the same message?

This is the message I get when trying https. I have tried a few times and the result was the same. I have tried many other https sites and all were fine except this site.

Please make add-on updates disabled by default in clean TBB installs. I made clean install and as soon as I launched TBB it connected to Tor and updated HTTPS-Everywhere to version 3.4.5 even before I managed to open add-ons and disable automatic updates.

It is a known danger that exit nodes can supply tampered add-ons. Even HTTPS is not a solution because powerful enemies can have target server private keys. Lavabit is an example of how they request SSL key copies.

On April 3rd, 2014 gk said:

Disabling automatic updates in TBB leads to a huge amount of users never updating their extensions which is bad. That said you should not have encountered the problem you describe in the first place as we a) ship TBBs with the latest extensions installed. Thus, if you update your old TBB in a timely fashion everything should be fine. And b) HTTPS-Everywhere is already shipped in version 3.4.5 since TBB 3.5.1.

On April 3rd, 2014 Anonymous said:

Probably better solutions to add-on auto updates:
a) When updating TBB make installer install latest add-ons
b) encourage users to make clean installs (with backing up and later restoring bookmarks) as I do.

Updating TBB by writing over older versions can lead to various unexpected problems in addition to easier browser fingerprinting (various custom settings accumulated from previous versions that could distinguish from clean install of latest TBB).

On April 3rd, 2014 Anonymous said:

I can't see the saved cookies in Browser.
How can i change this odd Browser behaviour??

Sounds like you might have not downloaded it fully, or it got corrupted, or you're checking the signature on the wrong one, or something.

On April 8th, 2014 Anonymous said:

no return to connect screen after hitting "open settings" button at start.

i miss the message log from vidalia control panel. it was very helpful if u ve a very slow inet connection.

On April 8th, 2014 arma said:

I miss it too. Maybe somebody here will help add something like it to Tor Launcher?

On April 8th, 2014 Anonymous said:

I just installed TBB 3.5.3 on a Win 7 box by clicking on the downloaded file. However, the installer (1) didn't place anything in the START menu; (2) did not make any type of shortcut on the desktop; and most importantly (3) is not listed as being "installed" in the Windows Control Panel. Is TBB 3.5.3 some sort of a stand-alone product that isn't subject to a normal installation process? If this is the case, where and what executable do I click in order to start the TBB?

Thank you.

SLG

On April 8th, 2014 arma said:

Correct, TBB is a standalone program. The installer helps you choose where to put it. You run it by going into whatever folder you installed it to, and running "Start Tor Browser".

I have two issues I frequently run into when installing TBB, as I did today on Mac OS X 10.9.2: First, TBB ignores the "normal" OS X way of installing as admin only (possibly additionally permitting them for others, too, as I was sometimes asked), but later using the applications as non-admin user, too. This doesn't work with TBB, but it forces me to install while logged in as the non-admin, who later wants to run TBB, but of course only with admin pass. Just weird.

Second: I have a local Apache webserver at
http://127.0.0.1/some-symlink-directory/
which serves for local development, and it is defined as homepage in all my browsers, but every new TBB refuses to connect.

On April 11th, 2014 Anonymous said:

Hi dear Tor Team, You're SO great. Thank You, I mean it.

I would want to run two instances of Tor in the same system at the same time, because: I got running some music online flash sound site under Tor in my Linux Mint, but of course, using flash is only good for visual content and so mostly for video and or audio sites, and flash has "low security" in that sense, that it can betray one's IP address. I would want to run another instance of Tor, where I blog. I already realized, that Tor starts slowly to maybe not at all, if the with mostly "US" ending directory, to which Tor is extracted under Linux, is renamed to anything else. But, the directory can be anywhere. So, I put the "Tor2", as I call it, by desktop link merely, into another directory, and if Tor1 from my normal Tor directory is not running, all is well, Tor2 works, and I can have two (or nor so many) sets of "profiles", so to speak, simply by cloning the first normal directory, copying it, into other directories, and always running, which as of now is only so possible, always only running ONE instance at a time. Because: I tried it out just before. It said, "Tor exited in an abnormal fashion", and it EVEN disturbed fundamentally the running Tor(2, as I call it) sound session with that flash site. Though, that the sound, the next playlist item running, on that flash sound site, did not ensue, can be another reason also, since it just now again stopped. Under Tor, okay, I do take some, well, A LOT of respect to Tor, AND I do hope, that loading youtube vids over Tor does not disturb the Tor servers, by the way, since that soundsite is accessing youtube vids, but of course, by going on that other site, I don't have to go directly on youtube. But, also a bug on that other site, which loads no playlist items anymore after any error occurred like "not allowed in your country" (not funny I hate it as we all do!) is displayed, so I'll have to bug the maker of that sound site.
What I would find great, is, if we could run at least two sessions, instances of Tor, at the same time, and those two Tor sessions being able to have fully different settings, different activated, installed plugins and all settings. Would be GREAT. Also, do tell people if the Tor Team does not wish people, Tor surfers, to use Tor for youtube-videos accessed by non-youtube sites, since the traffic amount stays the same. I'd say, there are at least 1000 Tor servers worldwide, and Tor MUST announce it BIGTIME on the FIRST upper part of their website, if people should not overload the Tor servers by accessing youtube or other video sites. Thank You, Tor Team, like Assange, we who are for him and You too in a different, technical way, we are the good Ones. Skol. Cheers.

On April 12th, 2014 Anonymous said:

If getting "can't load XPCOM" and you are using Webroot --
You just need to 'allow' xul.dll
In Webroot go to:
Identity Protection
Application protection
Allow - xul.dll
See more here: https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/tor-show-error-quot-can-not-load-xpcom-quot/m-p/92484/highlight/true#M6361